To gather insights on the state of application and data security, we spoke with 19 executives who are involved in application and data security for their clients.
Here’s who we talked to:
- Sam Rehman, CTO, Arxan
- Brian Hanrahan, Product Manager, Avecto
- Philipp Schone, Product Manager IAM & API, Axway
- Bill Ledingham, CTO, Black Duck
- Amit Ashbel, Marketing, Checkmarx
- Jeff Williams, CTO and Co-Founder, Contrast Security
- Tzach Kaufman, CTO and Founder, Covertix
- Jonathan LaCour, V.P. of Cloud, Dreamhost
- Anders Wallgren, CTO, Electric Cloud
- Alexander Polyakov, CTO and Co-Founder, ERPScan
- Dan Dinnar, CEO, HexaTier
- Alexey Grubauer, CIO, Jumio
- Joan Wrabetz, CTO, Quali
- John Rigney, CTO, Point3 Security
- Bob Brodie, Partner, SUMOHeavy
- Jim Hietala, V.P. Business Development Security, The Open Group
- Chris Gervais, V.P. Engineering, Threat Stack
- Peter Salamanca, V.P. of Infrastructure, TriCore Solutions
- James E. Lee, EVP and CMO, Waratek
Here's what they told us when we asked them, "What are the most common issues you see affecting application and data security?"
- OWASP Top 10 – data from lots of vendors. Number one is injection, of many types: SQL, XXE, LDAP, deserialization. Databases trust the applications, yet bad code gets injected into the application and ingested into the database. We are not at a point where the SDLC prevents injection on every piece of data. It’s not data anymore, it’s all code.
- Control and certification of the data.
- Multiple access points, patch management, unnecessary enabled services lead to different vulnerabilities.
- Many organizations try to handle security with their systems administrators. They need security pros, but it’s cost prohibitive to have them. Small companies are not able to protect themselves with in-house IT staffs when nation-states are attacking.
- SSL being the way to open. Passwords not being secured. Platform takes care of deeper security. Responsibilities of the operator go lax due to the lack of education.
- Big companies have the staff needed to handle all of the security monitoring and updates. Start-ups do not have the staff; as such, they need to be vigilant and run updates so they do not become compromised. We run a lot of WordPress sites. It’s a powerful content management system but highly targeted for hosting. It becomes a problem if you install plug-ins or do not perform updates. Bad plug-ins and lack of updates lead to hacks.
- Insufficient budgets to do what’s needed. Integration of security with enterprise architecture and development teams is being made worse by the Agile movement in which everything moves faster. Security has to be plugged in up front. If not, it gets left out during an Agile sprint.
- Platform security – focused on a product-oriented approach to security versus a strategic evaluation of risk of access to the data versus the latest and hottest security product. Losing view of what’s required to lock the platform down regardless of the vector of attack. Progression from laptop to endpoints to server platforms with different patterns of attack.
- The United.com situation demonstrates the cluelessness and lack of transparency. Are they really taking this stuff seriously? How good are they if they’re not transparent? You need to know what goals you are trying to accomplish.
- Secure way of collecting data by trained personnel and technology. Companies do not understand best practices of security, securing data, and how to address vulnerabilities or hacks.
- Don’t know what Open Source they have let alone what the vulnerabilities are. The average car has 100 million lines of code and most of it is open source. Need to provide better application security.
- The struggle of the handshake for security between outsiders and insiders. Focus on cloud DBaaS and the education required to move to the cloud. Analysis needs to keep up so you need to consider how to enable while maintaining security and monitoring.
- Separation between the dev team and the AppSec team. Getting the process to become the process. How to fix code.
- App security investment is increasing, but it still lags far behind network security. Gartner puts the ratio at 23:1 – yet more than 90% of attacks are aimed at the application layer. That results in a lot of incrementalism... and not a lot of innovation in app security.
- 1) Lack of visibility of the profile of the workload. 2) Security company stores data to information iteration – DevOps process feedback loop. 3) Vulnerability analysis to determine whether or not the software is the latest version. 4) Compliance-driven PCI, HIPAA, financial services reports for customers with the ongoing compliance process. Accelerate to scale confidently.
- The ability to replicate real-life scenarios with live data that cannot be corrupted.
- There are a variety, but a recent study on API security revealed that 87% of survey participants had API management in place but only 45% used basic rate limiting to prevent their systems from getting overloaded. So this is a very common problem: people, even if they have the right toolset in place, do not use it correctly.
- Not taking a holistic view of security. Focusing too much on the network and the web at the expense of the application.
- Patches and updates to Windows on a monthly or quarterly basis. Always make a back-up.
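Injection was named as the number-one issue above, and the point that "databases trust the applications" is easiest to see in code. The following is an added example written for this roundup; it is not code from any of the vendors interviewed. It builds a constructed in-memory SQLite table and contrasts a lookup that concatenates user input into the query (so a quoted value is interpreted as SQL) with the same lookup done through a parameterized query, where the driver passes the value as data and it can never become code. An input allowlist is added as a second, independent layer; the hypothetical helper names (`lookup_vulnerable`, `lookup_parameterized`, `is_valid_username`) are this example's own.

```python
import re
import sqlite3

# Constructed sample data: three users in an in-memory database.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """Create the constructed users table in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation.

    The database has no way to tell where the application's SQL ends and the
    untrusted value begins, so a value containing a quote changes the query.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Same lookup with a bound parameter.

    The SQL text is fixed before the value is supplied; the driver sends the
    value separately, so it is compared as a literal string and nothing more.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Defence in depth: an allowlist for the expected shape of a username.
# Binding parameters is the primary control; this only rejects obvious junk early.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def safe_lookup(conn, username):
    """Allowlist check first, then a parameterized query."""
    if not is_valid_username(username):
        return []
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed malformed value, not a real username
    print("concatenated:", lookup_vulnerable(db, probe))    # every row comes back
    print("parameterized:", lookup_parameterized(db, probe))  # no such user: []
    print("allowlisted:", safe_lookup(db, probe))             # rejected: []
```

The concatenated version returns all three users for the malformed value because the quote closes the string literal and the remainder becomes part of the WHERE clause; the parameterized version returns nothing because the whole value is compared as a literal. Equivalent bound-parameter APIs exist for every mainstream driver and ORM, and prepared statements are the control to audit for, not input filtering alone.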
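The rate-limiting point above (API management deployed, but basic rate limiting left switched off) is worth pairing with what "basic rate limiting" actually does. The following token-bucket limiter is an added example written for this roundup, not code from any of the vendors quoted or from an API gateway product; names such as `TokenBucket`, `PerClientLimiter` and `simulate` are this example's own. It keys a bucket per client, refills at a fixed rate, and takes an injectable clock so a constructed burst can be replayed deterministically.

```python
import time


class TokenBucket:
    """Classic token bucket: `capacity` tokens at most, refilled continuously."""

    def __init__(self, capacity, refill_per_second, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_second = refill_per_second
        self.clock = clock
        self.tokens = float(capacity)  # a new client starts with a full bucket
        self.last = clock()

    def _refill(self):
        now = self.clock()
        elapsed = now - self.last
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_second)

    def allow(self, cost=1):
        """Consume `cost` tokens if available; otherwise reject without consuming."""
        self._refill()
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class PerClientLimiter:
    """One bucket per client identifier (API key, tenant, source address...)."""

    def __init__(self, capacity, refill_per_second, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_second = refill_per_second
        self.clock = clock
        self.buckets = {}

    def allow(self, client_id):
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_per_second, self.clock)
            self.buckets[client_id] = bucket
        return bucket.allow()


# Constructed traffic: client "a" bursts 15 requests at t=0, then 3 more at t=2;
# client "b" sends a single request at t=0. Each entry is (timestamp, client_id).
REQUESTS = [(0.0, "a")] * 15 + [(0.0, "b")] + [(2.0, "a")] * 3


def simulate(requests, capacity, refill_per_second):
    """Replay timestamped requests through the limiter with a fake clock.

    Returns {client_id: (allowed, rejected)} so the outcome can be inspected.
    """
    current = [0.0]
    limiter = PerClientLimiter(capacity, refill_per_second, clock=lambda: current[0])
    outcome = {}
    for ts, client in sorted(requests, key=lambda r: r[0]):
        current[0] = ts
        allowed, rejected = outcome.get(client, (0, 0))
        if limiter.allow(client):
            allowed += 1
        else:
            rejected += 1
        outcome[client] = (allowed, rejected)
    return outcome


if __name__ == "__main__":
    # Capacity 10, refill 1 token/s: the burst is capped, a well-behaved client is untouched.
    print(simulate(REQUESTS, capacity=10, refill_per_second=1.0))
```

With capacity 10 and a refill of one token per second, the burst of 15 at t=0 gets 10 through and 5 rejected; by t=2 two tokens have refilled, so two of the next three pass. The single request from client "b" is unaffected because buckets are per client. Rejections should be logged with the client identifier, since a client that is persistently rejected is either misbehaving or misconfigured, and either is worth a look.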